A January 26 Digital Transactions News article discusses Robert Carr’s call for end-to-end encryption. The Heartland press release that drove all of the media stories around that time states that, “For the past year, Carr has been a strong advocate for industry adoption of end-to-end encryption – which protects data at rest as well as data in motion – as an improved and safer standard of payments security. While he believes this technology does not wholly exist on any payments platform today, Heartland has been working to develop this solution and is more committed than ever to deploying it as quickly as possible.” Mr. Carr’s call for encryption appears to have been unknown to the public as the earliest reference of encryption a Google search could uncover was in Heartland’s 2008 annual report. Given Heartland’s fiscal year ends on December 31, it is likely the statement on encryption in the annual report was written about the same time as the press release.
In response to Mr. Carr’s call for end-to-end encryption, Kevin Nixon argues in a March 24 article that end-to-end encryption is “bad medicine.” So, what is meant by end-to-end encryption, the “one brief point” where cardholder data is exposed and why is this discussion creating such a stir?
In this post, I would like to discuss the “one brief point” comment. Based on my experience with credit card processing, depending on where you are in the process, there can be more than just one “brief point.” In fact, “brief“ may also be a misnomer. Depending on the process, there could be numerous points where cardholder data is exposed.
Let us look at this from the merchant’s perspective. For merchants using dial-up terminals, there is truly only one potential “brief point” of exposure between the terminal and the connection with the processor. However, this exposure requires that the dial-up line be wire tapped and the electronic transmissions be recorded. Given that a merchant with dial-up does not have a high volume of credit card transactions and that wire-tapping is a very serious federal felony, the risk of this occurring is low as the payback is also very low.
For merchants that use integrated POS, the first exposure point that can exist is between the credit card terminal and the POS solution. This point exists because of the multitude of terminals that could possibly be connected to the POS. Since POS vendors do not always have the resources to develop interfaces for every possible combination of credit card terminals, they develop interfaces to the most popular terminals following the 80/20 rule. This compatibility issue has gotten less and less of a problem over the years as the terminal vendors adopted USB and other standard connectivity solutions to connect the terminals to the POS. However, most POS vendors have made the wrong assumption that the connection between the terminal and the POS is secure which may or may not be true.
Then there is the connection between the integrated POS and the processor. For large merchants that perform their own transaction switching, the connection between the POS and the internal switch can sometimes be unencrypted and that can be another point of exposure. Interestingly enough, the connection between the merchant and the processor can also be an exposure point. I cannot tell you the number of large processors that even up to a year ago were still struggling with getting connections to merchants encrypted. And if a merchant’s connection to their processor is a private circuit, it is likely not encrypted because the PCI DSS does not require it.
Another exposure point is settlement. While settlement is usually conducted over private circuits, it is typically done using FTP to transfer files between the merchant and the processor. Some processors have moved to transferring settlement files via secure FTP, but have not necessarily moved all of their merchants to secure FTP. As a result, there is potential risk in the fact that standard FTP is used during the settlement process.
These are just the obvious risks to cardholder data security. Based on all of the custom solutions implemented by merchants and processors, there are unique risks present throughout the cardholder data flow. As a result, each instance presents its own unique challenges to provide adequate security. This is why securing cardholder data can be daunting.
In my next post, I will examine the definition of ‘end-to-end encryption’.
PCI Guru 
What is the problem with settlement, though? It does not include card numbers, I hope?
Sometimes settlement can contain card numbers when transactions get batched because of communication issues or because that merchant batches transactions for processing at EOD. Granted, communication breakdowns may be rare, but they do happen. In the case of batch EOD processing, I’m surprised at how many merchants take this approach.